Field of the Invention
The present invention relates to techniques for tracking user access to resources and data in a distributed computing environment. More specifically, the present invention relates to a method and an apparatus for logging privilege use in a distributed computing environment.
Related Art
Many network-based applications are built upon a shared database system that provides a set of core data services. More specifically, these network-based applications typically store, access, and share information in the structured data storage provided by this shared database system.
Such shared database systems often provide a privileged access level that allows database administrators to create and maintain database structures to store data for application-level operations, but do not include any awareness of the meaning of the application-level operations associated with the stored data. For instance, while such a database system may log table-level operations triggered by applications in response to a user request, the database system typically has no knowledge about the application-level semantic meaning of the triggering operations. Hence, in a network-based application environment, understanding a user's actions, and ensuring that the user does not abuse access privileges, typically involves checking the logs of every application that the user has access to. For instance, when a person leaves a company on bad terms, a security manager who is checking the actions performed by the user in the last week of employment needs to individually check the logs of each application the user may have accessed to determine whether any malicious actions were performed. Searching through such distributed log data is both difficult and inconvenient, which makes obtaining an overall view of system security and a user's operations difficult to achieve.
Hence, what is needed is a method and an apparatus that facilitates auditing user behavior in a distributed computing environment without the above-described problems.